Cryptography in the Bounded Quantum-Storage Model

Ivan B. Damgård, Serge Fehr, Louis Salvail, Christian Schaffner

February 1, 2008
Abstract 

We initiate the study of two-party cryptographic primitives with 
unconditional security, assuming that the adversary's quantum mem- 
ory is of bounded size. We show that oblivious transfer and bit com- 
mitment can be implemented in this model using protocols where hon- 
est parties need no quantum memory, whereas an adversarial player 
needs quantum memory of size at least n/2 in order to break the pro- 
tocol, where n is the number of qubits transmitted. This is in sharp 
contrast to the classical bounded-memory model, where we can only 
tolerate adversaries with memory of size quadratic in honest players' 
memory size. Our protocols are efficient, non-interactive and can be 
implemented using today's technology. On the technical side, a new 
entropic uncertainty relation involving min-entropy is established. 

1 Introduction 

It is well known that non-trivial 2-party cryptographic primitives cannot 
be securely implemented if only error-free communication is available and 
there is no limitation assumed on the computing power and memory of 
the players. Fundamental examples of such primitives are bit commitment 
(BC) and oblivious transfer (OT). In BC, a committer C commits himself to 
a choice of a bit b by exchanging information with a verifier V. We want that V does not learn b (we say the commitment is hiding), yet C can later choose to reveal b in a convincing way, i.e., only the value fixed at commitment time will be accepted by V (we say the commitment is binding). In (Rabin) OT, a sender S sends a bit b to a receiver R by executing some protocol in such a way that R receives b with probability 1/2 and nothing with probability 1/2, yet S does not learn what was received.

Informally, BC is not possible with unconditional security since hiding means that when 0 is committed, exactly the same information exchange could have happened when committing to a 1. Hence, even if 0 was actually committed to, C could always compute a complete view of the protocol consistent with having committed to 1, and pretend that this was what he had in mind originally. A similar type of argument shows that OT is also impossible in this setting.

One might hope that allowing the protocol to make use of quantum com- 
munication would make a difference. Here, information is stored in qubits, 
i.e., in the state of two-level quantum mechanical systems, such as the polar- 
ization state of a single photon. It is well known that quantum information 
behaves in a way that is fundamentally different from classical information, 
enabling, for instance, unconditionally secure key exchange between two 
honest players. However, in the case of two mutually distrusting parties, we 
are not so fortunate: even with quantum communication, unconditionally 
secure BC and OT remain impossible [18, 12].

There are, however, several scenarios where these impossibility results 
do not apply, namely: 

• if the computing power of players is bounded, 

• if the communication is noisy, 

• if the adversary is under some physical limitation, e.g., the size of the 
available memory is bounded. 

The first scenario is the basis of many well known solutions based on plausible but unproven complexity assumptions, such as hardness of factoring or discrete logarithms. The second scenario has been used to construct both BC and OT protocols in various models for the noise [?]. The third scenario is our focus here. In this model, OT and BC can be done using classical communication assuming, however, quite restrictive bounds on the adversary's memory size [?], namely it can be at most quadratic in the memory size of honest players. Such an assumption is on the edge of being realistic; it would clearly be more satisfactory to have a larger separation between the memory size of honest players and that of the adversary. However, this was shown to be impossible [15].

In this paper, we study for the first time what happens if instead we 
consider protocols where quantum communication is used and we place a 
bound on the adversary's quantum memory size. There are two reasons why this may be a good idea: first, if we do not bound the classical memory size, we avoid the impossibility result of [?]. Second, the adversary's typical
goal is to obtain a certain piece of classical information that we want to keep 
hidden from him. However, if he cannot store all the quantum information 
that is sent, he must convert some of it to classical information by measuring. 
This may irreversibly destroy information, and we may be able to arrange 
it such that the adversary cannot afford to lose information this way, while 
honest players can. 

It turns out that this is indeed possible: we present protocols for both 
BC and OT in which n qubits are transmitted, where honest players need no 
quantum memory, but where the adversary must store at least n/2 qubits 
to break the protocol. We emphasize that no bound is assumed on the 
adversary's computing power, nor on his classical memory. This is clearly 
much more satisfactory than the classical case, not only from a theoretical 
point of view, but also in practice: while sending qubits and measuring 
them immediately as they arrive is well within reach of current technology, 
storing even a single qubit for more than a fraction of a second is a formidable 
technological challenge. Furthermore, we show that our protocols also work 
in a non-ideal setting where we allow the quantum source to be imperfect 
and the quantum communication to be noisy. 

We emphasize that what makes OT and BC possible in our model is 
not so much the memory bound per se, rather it is the loss of information 
it implies on the part of the adversary. Indeed, our results also hold if the adversary's memory device holds an arbitrary number of qubits, but is imperfect in certain ways. This is discussed in more detail in Section 5.

Our protocols are non-interactive, only one party sends information when 
doing OT, commitment or opening. Furthermore, the commitment protocol 
has the interesting property that the only message is sent to the commit- 
ter, i.e., it is possible to commit while only receiving information. Such a 
scheme clearly does not exist without a bound on the committer's memory, 
even under computational assumptions and using quantum communication: 
a corrupt committer could always store (possibly quantumly) all the infor- 
mation sent, until opening time, and only then follow the honest committer's 
algorithm to figure out what should be sent to convincingly open a 0 or a 1.
Note that in the classical bounded-storage model, it is known how to do 
time-stamping that is non-interactive in our sense: a player can time-stamp 
a document while only receiving information [22] . However, no reasonable 
BC or protocol that time-stamps a bit exists in this model. It is straightforward to see that any such protocol can be broken by an adversary with
classical memory of size twice that of an honest player, while our proto- 
col requires no memory for the honest players and remains secure against 
any adversary not able to store more than half the size of the quantum 
transmission. 
We also note that it has been shown earlier that BC is possible using quantum communication, assuming a different type of physical limitation, namely a bound on the size of coherent measurement that can be implemented [25]. This limitation is incomparable to ours: it does not limit the total size of the memory, instead it limits the number of bits that can be simultaneously operated on to produce a classical result. Our adversary has a limit on the total memory size, but can measure all of it coherently. The protocol from [25] is interactive, and requires a bound on the maximal measurement size that is sub-linear in n.

On the technical side, we derive a new type of uncertainty relation involving the min-entropy of a quantum encoding (Theorem 3.7 and Corollary 3.8). The relation is in a suitable form to apply privacy amplification against quantum adversaries as introduced by Renner and König [23].

2 Preliminaries 

2.1 Notation 

For a set $I = \{i_1, \ldots, i_\ell\} \subseteq \{1, \ldots, n\}$ and an $n$-bit string $x \in \{0,1\}^n$, we define $x|_I := x_{i_1} x_{i_2} \cdots x_{i_\ell}$. For $x, y \in \{0,1\}^n$, $x \cdot y \in \{0,1\}$ denotes the (standard) inner product of $x$ and $y$. For a probability distribution $Q$ over $n$-bit strings and a set $L \subseteq \{0,1\}^n$, we abbreviate the (overall) probability of $L$ with $Q(L) := \sum_{x \in L} Q(x)$. All logarithms in this paper are to base two. We denote by $h(p)$ the binary entropy function $h(p) := -(p \cdot \log p + (1-p) \cdot \log(1-p))$. We denote by $\mathrm{negl}(n)$ any function of $n$ smaller than any polynomial provided $n$ is sufficiently large. For $x \in \{0,1\}^n$, we write $B^{\delta n}(x)$ for the set of all $n$-bit strings at Hamming distance at most $\delta n$ from $x$. Note that the number of elements in $B^{\delta n}(x)$ is the same for all $x$; we denote it by $B^{\delta n} := |B^{\delta n}(x)|$. It is well known that $B^{\delta n} \le 2^{n h(\delta)}$.

The pair $\{|0\rangle, |1\rangle\}$ denotes the computational or rectilinear or "+" basis for the 2-dimensional complex Hilbert space $\mathbb{C}^2$. The diagonal or "×" basis is defined as $\{|0\rangle_\times, |1\rangle_\times\}$ where $|0\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|1\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. Measuring a qubit in the +-basis (resp. ×-basis) means applying the measurement described by projectors $|0\rangle\langle 0|$ and $|1\rangle\langle 1|$ (resp. projectors $|0\rangle_\times\langle 0|_\times$ and $|1\rangle_\times\langle 1|_\times$). When the context requires it, we write $|0\rangle_+$ and $|1\rangle_+$ instead of $|0\rangle$ respectively $|1\rangle$; and for any $x \in \{0,1\}^n$ and $r \in \{+, \times\}$, we write $|x\rangle_r = \bigotimes_{i=1}^{n} |x_i\rangle_r$. If we want to choose the + or ×-basis according to the bit $b \in \{0,1\}$, we write $\{+, \times\}_{[b]}$.

2.2 Quantum Probability Theory 

As basis for the security definitions and proofs of our protocols, we are using the formalism introduced in [23], which we briefly summarize here. A random state $\rho$ is a random variable, with distribution $P_\rho$, whose range is the set of density operators of a fixed Hilbert space. The view of an observer (who is ignorant of the value of $\rho$) is given by the quantum system described by the density operator $[\rho] := \sum_\rho P_\rho(\rho)\,\rho$. In general, for any event $\mathcal{E}$, we define $[\rho \mid \mathcal{E}] := \sum_\rho P_{\rho|\mathcal{E}}(\rho)\,\rho$. If $\rho$ is dependent on some classical random variable $X$, with joint distribution $P_{X\rho}$, we also write $\rho_x$ instead of $[\rho \mid X = x]$. Note that $\rho_x$ is a density operator (for any fixed $x$) whereas $\rho_X$ is again a random state. The overall quantum system is then given by $[\{X\} \otimes \rho] = \sum_x P_X(x)\,\{x\} \otimes \rho_x$, where $\{x\} := |x\rangle\langle x|$ is the state representation of $x$ and $\{X\}$ the corresponding random state. Obviously, $[\{X\} \otimes \rho] = [\{X\}] \otimes [\rho]$ if and only if $\rho_X$ is independent of $X$, where the latter in particular implies that no information on $X$ can be learned by observing only $\rho$. Furthermore, if $[\{X\} \otimes \rho]$ and $[\{X\}] \otimes [\rho]$ are $\varepsilon$-close in terms of their trace distance $\delta(\rho, \sigma) = \frac12 \mathrm{tr}(|\rho - \sigma|)$, then the real system $[\{X\} \otimes \rho]$ "behaves" as the ideal system $[\{X\}] \otimes [\rho]$ except with probability $\varepsilon$ [23] in that for any evolution of the system no observer can distinguish the real from the ideal one with advantage greater than $\varepsilon$. Henceforth, we use $\mathrm{unif}$ to denote a random variable with range $\{0,1\}$, uniformly distributed and independent of anything else, and, as in [23], we use $d(X \mid \rho)$ as a short hand for $\delta([\{X\} \otimes \rho], [\{\mathrm{unif}\}] \otimes [\rho])$.

We consider the notion of the classical Rényi entropy $H_\alpha(X)$ of order $\alpha$ of a random variable $X$ [21] as well as its generalization to the Rényi entropy $S_\alpha(\rho)$ of a state $\rho$. It holds that $S_\alpha([\{X\}]) = H_\alpha(X)$ and $S_\alpha([\{X\}]) \le S_\beta([\{X\}])$ if $\alpha \ge \beta$. The cases that are relevant for us are the classical min-entropy $H_\infty(X) = -\log(\max_x P_X(x))$ as well as the max and the collision von Neumann entropy $S_0(\rho) = \log(\mathrm{rank}(\rho))$ respectively $S_2(\rho) = -\log\big(\sum_i \lambda_i^2\big)$ where $\lambda_i$ are the eigenvalues of $\rho$.

2.3 Bounded Quantum Storage and Privacy Amplification 

All our protocols take place in the bounded quantum-storage model, which concretely means the following: the state of an adversarial player may consist of an arbitrary number of qubits, and he may perform arbitrary quantum computation. At a certain point in time though, we say that the memory bound applies, which means that all but $q$ of the qubits are measured. After this point, the player is again unbounded in (quantum) memory and computing power. We note that our results also apply to some cases where the adversary's memory is not bounded but is noisy in certain ways, see Section 5.

An important tool we will use is universal hashing. A class $\mathcal{H}_n$ of hashing functions from $\{0,1\}^n$ to $\{0,1\}$ is called two-universal if for any pair $x, y \in \{0,1\}^n$ with $x \neq y$

$$|\{f \in \mathcal{H}_n : f(x) = f(y)\}| \le \frac{|\mathcal{H}_n|}{2} .$$

Several two-universal classes of hashing functions are such that evaluating and picking a function uniformly and at random in $\mathcal{H}_n$ can be done efficiently [?].

Theorem 2.1 ([23]). Let $X$ be distributed over $\{0,1\}^n$, and let $\rho$ be a random state of $q$ qubits¹. Let $F$ be the random variable corresponding to the random choice (with uniform distribution and independent from $X$ and $\rho$) of a member of a two-universal class of hashing functions $\mathcal{H}_n$. Then

$$d\big(F(X) \,\big|\, \{F\} \otimes \rho\big) \le \tfrac12\, 2^{-\frac12\left(S_2([\{X\} \otimes \rho]) - S_0([\rho]) - 1\right)} \qquad (1)$$

$$\le \tfrac12\, 2^{-\frac12\left(H_\infty(X) - q - 1\right)} . \qquad (2)$$

The first inequality is the original theorem from [23], and (2) follows by observing that $S_2([\{X\} \otimes \rho]) \ge S_2([\{X\}]) = H_2(X) \ge H_\infty(X)$ and that $S_0([\rho]) \le q$ for a state of $q$ qubits. In this paper, we essentially only use this weaker version of the theorem.

Note that if the rightmost term of (2) is negligible, i.e. say smaller than $2^{-\varepsilon n}$, then this situation is $2^{-\varepsilon n}$-close to the ideal situation where $F(X)$ is perfectly uniform and independent of $\rho$ and $F$. In particular, the situations $F(X) = 0$ and $F(X) = 1$ are statistically indistinguishable given $\rho$ and $F$.
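The following Python code is an added example written for this page, not code from the paper. It builds one concrete two-universal class, the functions $f_{a,c}(x) = (a \cdot x) \oplus c$ (choosing this particular class is an assumption made here; any two-universal class would serve), verifies the two-universality condition above by exhaustive enumeration, and then exercises the classical special case of Theorem 2.1 in which $q = 0$: the adversary holds no qubits but has learned all except $k$ bits of a uniform $X$, so that conditioned on his view $X$ has min-entropy $k$. The measured distance of $F(X)$ from a uniform bit is compared with the bound $\frac12\, 2^{-\frac12(k-1)}$ of inequality (2).

```python
"""Two-universal hashing (Section 2.3) and the classical, q = 0 case of Theorem 2.1,
checked by exhaustive enumeration. Example code written for this page, not the paper's."""
from itertools import product


def inner_product(a, x):
    """Standard inner product a . x of two equal-length bit tuples, modulo 2."""
    return sum(ai & xi for ai, xi in zip(a, x)) & 1


def hash_family(n):
    """The class H_n = { f_{a,c}(x) = (a . x) xor c : a in {0,1}^n, c in {0,1} }.
    (Assumption made here: this particular class; any two-universal class would do.)
    Each function is represented by its parameter pair (a, c)."""
    return [(a, c) for a in product((0, 1), repeat=n) for c in (0, 1)]


def evaluate(f, x):
    a, c = f
    return inner_product(a, x) ^ c


def max_collisions(n):
    """max over x != y of |{f in H_n : f(x) = f(y)}|.
    H_n is two-universal iff this value is at most |H_n| / 2."""
    fam = hash_family(n)
    strings = list(product((0, 1), repeat=n))
    worst = 0
    for x in strings:
        for y in strings:
            if x != y:
                coll = sum(1 for f in fam if evaluate(f, x) == evaluate(f, y))
                worst = max(worst, coll)
    return worst


def is_two_universal(n):
    return max_collisions(n) <= len(hash_family(n)) // 2


def amplification_distance(n, k):
    """Classical analogue of Theorem 2.1 with q = 0 (constructed scenario): X is uniform
    on n bits and the adversary's view contains the first n-k bits of X exactly, so that
    conditioned on his view X has min-entropy k. Returns the average, over the uniformly
    chosen F in H_n and the leaked prefix, of the statistical distance between F(X) and
    a uniform bit, i.e. d(F(X) | {F}) in the notation of Section 2.2."""
    fam = hash_family(n)
    prefixes = list(product((0, 1), repeat=n - k))
    suffixes = list(product((0, 1), repeat=k))
    total = 0.0
    for f in fam:
        for known in prefixes:
            ones = sum(evaluate(f, known + u) for u in suffixes)
            p_one = ones / len(suffixes)
            # distance of a bit with Pr[1] = p_one from a uniform bit is |p_one - 1/2|
            total += abs(p_one - 0.5)
    return total / (len(fam) * len(prefixes))


def theorem_bound(min_entropy, q):
    """Right-hand side of inequality (2): (1/2) * 2^{-(H_inf(X) - q - 1)/2}."""
    return 0.5 * 2 ** (-0.5 * (min_entropy - q - 1))


if __name__ == "__main__":
    print("H_4 two-universal:", is_two_universal(4),
          "worst collision count:", max_collisions(4), "of", len(hash_family(4)))
    print("distance from uniform (n=6, k=3):", amplification_distance(6, 3),
          "bound from (2):", theorem_bound(3, 0))
```

For this class the collision count is exactly $|\mathcal{H}_n|/2$ for every pair $x \neq y$, because $a \cdot (x \oplus y)$ is balanced over $a$ whenever $x \oplus y \neq 0$. In the leakage scenario the exact distance is $\frac12 \cdot 2^{-k}$ (the hash is constant on the unknown bits only when $a$ vanishes on those positions), comfortably below the theorem's $\frac12 \cdot 2^{-(k-1)/2}$.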

The following lemma is a direct consequence of Theorem 2.1. In Section 4 this lemma will be useful for proving the binding condition of our commitment scheme. Recall that for $X \in \{0,1\}^n$, $B^{\delta n}(X)$ denotes the set of all $n$-bit strings at Hamming distance at most $\delta n$ from $X$ and $B^{\delta n} := |B^{\delta n}(X)|$ is the number of such strings.

Lemma 2.2. Let $X$ be distributed over $\{0,1\}^n$, let $\rho$ be a random state of $q$ qubits and let $\hat{X}$ be a guess for $X$ given $\rho$. Then, for all $\delta < \frac12$ it holds that

$$\Pr\big[\hat{X} \in B^{\delta n}(X)\big] \le 2^{-\frac12\left(H_\infty(X) - q - 1\right) + \log(B^{\delta n})} .$$

In other words, given a quantum memory of $q$ qubits arbitrarily correlated with a classical random variable $X$, the probability to find $\hat{X}$ at Hamming distance at most $\delta n$ from $X$ where $n h(\delta) < \frac12 (H_\infty(X) - q)$ is negligible.

Proof: Here is a strategy to try to bias $F(X)$ when given $\hat{X}$ and $F \in \mathcal{H}_n$: Sample $X' \in_R B^{\delta n}(\hat{X})$ and output $F(X')$. Note that, using $p_{\mathrm{succ}}$ as a short hand for the probability $\Pr[\hat{X} \in B^{\delta n}(X)]$ to be bounded,

$$\Pr[F(X') = F(X)] = \frac{p_{\mathrm{succ}}}{B^{\delta n}} + \Big(1 - \frac{p_{\mathrm{succ}}}{B^{\delta n}}\Big) \frac12 = \frac12 + \frac{p_{\mathrm{succ}}}{2 \cdot B^{\delta n}} ,$$

where the first equality follows from the fact that if $X' \neq X$ then, as $\mathcal{H}_n$ is two-universal, $\Pr[F(X) = F(X')] = \frac12$. Since the probability of correctly guessing a binary $F(X)$ given $F$ and $\rho$ is always upper bounded by $\frac12 + d(F(X) \mid \{F\} \otimes \rho)$, in combination with Theorem 2.1 the above results in

$$\frac12 + \frac{p_{\mathrm{succ}}}{2 \cdot B^{\delta n}} \le \frac12 + \frac12\, 2^{-\frac12\left(H_\infty(X) - q - 1\right)}$$

and the claim follows immediately. □

¹ Remember that $\rho$ can be correlated with $X$ in an arbitrary way. In particular, we can think of $\rho$ as an attempt to store the $n$-bit string $X$ in $q$ qubits.



3 Rabin Oblivious Transfer 
3.1 The Definition 

A protocol for Rabin Oblivious Transfer (ROT) between sender Alice and 
receiver Bob allows for Alice to send a bit b through an erasure channel 
to Bob. Each transmission delivers b or an erasure with probability $\frac12$.
Intuitively, a protocol for ROT is secure if 

• the sender Alice gets no information on whether b was received or not, 
no matter what she does, and 

• the receiver Bob gets no information about b with probability at least $\frac12$,
no matter what he does. 

In this paper, we are considering quantum protocols for ROT. This means 
that while the inputs and outputs of the honest senders are classical, de- 
scribed by random variables, the protocol may contain quantum computa- 
tion and quantum communication, and the view of a dishonest player is 
quantum, and is thus described by a random state. 

Any such (two-party) protocol is specified by a family $\{(S_n, R_n)\}_{n > 0}$ of pairs of interactive quantum circuits (i.e. interacting through a quantum channel). Each pair is indexed by a security parameter $n > 0$, where $S_n$ and $R_n$ denote the circuits for sender Alice and receiver Bob, respectively.
In order to simplify the notation, we often omit the index n, leaving the 
dependency on it implicit. 

For the formal definition of the security requirements of a ROT protocol, let us fix the following notation. Let $B$ denote the binary random variable describing S's input bit $b$, and let $A$ and $B'$ denote the binary random variables describing R's two output bits, where the meaning is that $A$ indicates whether the bit was received or not. Furthermore, for a dishonest sender $\tilde{S}$ (respectively receiver $\tilde{R}$) let $\rho_{\tilde{S}}$ ($\rho_{\tilde{R}}$) denote the random state describing $\tilde{S}$'s ($\tilde{R}$'s) view of the protocol. Note that for a fixed candidate protocol for ROT, and for a fixed input distribution $P_B$, depending on whether we consider two honest S and R, a dishonest $\tilde{S}$ and an honest R, or an honest S and a dishonest $\tilde{R}$, the corresponding joint distribution $P_{BAB'}$, $P_{\rho_{\tilde{S}} A B'}$ respectively $P_{B \rho_{\tilde{R}}}$ is uniquely determined.

Definition 3.1. A two-party (quantum) protocol $(S, R)$ is a (statistically) secure ROT if the following holds.

Correctness: For honest S and R

$$\Pr[B = B' \mid A = 1] \ge 1 - \mathrm{negl}(n) .$$

Receiver-Privacy: For any $\tilde{S}$

$$d(A \mid \rho_{\tilde{S}}) \le \mathrm{negl}(n) .$$

Sender-Privacy: For any $\tilde{R}$ there exists an event $\mathcal{E}$ with $P[\mathcal{E}] \ge \frac12 - \mathrm{negl}(n)$ such that

$$\delta\big([\{B\} \otimes \rho_{\tilde{R}} \mid \mathcal{E}],\ [\{B\}] \otimes [\rho_{\tilde{R}} \mid \mathcal{E}]\big) \le \mathrm{negl}(n) .$$

If any of the above trace distances equals 0, then the corresponding property is said to hold perfectly. If one of the properties only holds with respect to a restricted class $\mathfrak{S}$ of $\tilde{S}$'s respectively $\mathfrak{R}$ of $\tilde{R}$'s, then this property is said to hold and the protocol is said to be secure against $\mathfrak{S}$ respectively $\mathfrak{R}$.

Receiver-privacy requires that the joint quantum state is essentially the 
same as when A is uniformly distributed and independent of the sender's 
view, and sender-privacy requires that there exists some event which occurs 
with probability at least $\frac12$ (the event that the receiver does not receive the
bit) and under which the joint quantum state is essentially the same as when 
B is distributed (according to Pg) independently of the receiver's view. 

We warn the reader that the above definition does not guarantee that 
the ROT protocol is equivalent to an "ideal black-box implementation" of 
ROT, so it does not guarantee universal composability, for instance. One 
main reason for this is that, unlike the classical case [7], receiver-privacy
as we define it does not guarantee that the input bit b is determined after 
the execution of ROT. In other words, S is not necessarily bound to her 
input. In fact, this is not surprising, since our model places no limitations 
whatsoever on the sender. If S was indeed bound to her input, a straight- 
forward reduction would allow us to build from ROT a statistically hiding 
commitment scheme where the ROT sender is the committer. But since 
the sender is unbounded, she can always break the binding property using 
essentially the standard attack against unconditionally secure quantum bit 
commitment [18, 12].

A more rigorous definition of Oblivious Transfer is therefore required 
in order to allow for composability. Moreover, we see from the above that 
satisfying such a definition will require some limitation to be placed on the sender, such as a memory bound. This would, for instance, allow using the commitment scheme we present later in this paper with the ROT sender in the role of committer. These issues will be further addressed in a forthcoming paper.

3.2 The Protocol 

We introduce a quantum protocol for ROT that will be shown perfectly receiver-private (against any sender) and statistically sender-private against any quantum memory-bounded receiver. Our protocol exhibits some similarity with quantum conjugate coding introduced by Wiesner [25].

The protocol is very simple (see Figure 1): S picks $x \in_R \{0,1\}^n$ and sends to R $n$ qubits in state either $|x\rangle_+$ or $|x\rangle_\times$, each chosen with probability $\frac12$. R then measures all received qubits either in the rectilinear or in the diagonal basis. With probability $\frac12$, R picked the right basis and gets $x$, while any R that is forced to measure part of the state (due to a memory bound) can only have full information on $x$ in case the +-basis was used or in case the ×-basis was used (but not in both cases). Privacy amplification based on any two-universal class of hashing functions $\mathcal{H}_n$ is then used to destroy partial information. (In order to avoid aborting, we specify that if a dishonest S refuses to participate, or sends data in incorrect format, then R samples its output bits $a$ and $b'$ both at random in $\{0,1\}$.)



QOT(b):

1. S picks $x \in_R \{0,1\}^n$, and $r \in_R \{+, \times\}$.

2. S sends $|\psi\rangle := |x\rangle_r$ to R (i.e. the string $x$ in basis $r$).

3. R picks $r' \in_R \{+, \times\}$ and measures all qubits of $|\psi\rangle$ in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.

4. S announces $r$, $f \in_R \mathcal{H}_n$, and $e := b \oplus f(x)$.

5. R outputs $a := 1$ and $b' := e \oplus f(x')$ if $r' = r$ and else $a := 0$ and $b' := 0$.

Figure 1. Protocol for Rabin QOT
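An honest execution of Figure 1 as an added simulation; this is example code written for this page, not code from the paper. Qubits are modelled classically, which is faithful for honest parties because the only quantum effect in play is that measuring $|x_i\rangle_r$ in the wrong conjugate basis yields a uniformly random bit. The two-universal class $\mathcal{H}_n$ is taken to be the inner-product functions $f_a(x) = a \cdot x$, an assumption made here for illustration. The simulation checks correctness ($b' = b$ whenever $a = 1$, so $\Pr[B = B' \mid A = 1] = 1$ for this protocol), that $a = 1$ in about half the runs, and that when $r' \neq r$ the value $e \oplus f(x')$ is an unbiased coin carrying no information about $b$, which is why R then outputs $a := 0$.

```python
"""Simulation of an honest run of the Rabin QOT protocol of Figure 1.
Example code written for this page, not the paper's own. Qubits are modelled classically:
measuring |x_i>_r in basis r' returns x_i if r' = r and a uniformly random bit otherwise."""
import random

BASES = ('+', 'x')


def hash_ip(a, x):
    """f_a(x) = a . x mod 2. The class {f_a : a in {0,1}^n} is two-universal; using it as
    H_n is an assumption made here for illustration."""
    return sum(ai & xi for ai, xi in zip(a, x)) & 1


def measure(x, r, r_prime, rng):
    """Outcome of measuring the n qubits |x>_r in basis r_prime."""
    if r == r_prime:
        return tuple(x)
    return tuple(rng.randrange(2) for _ in x)  # conjugate basis: uniformly random bits


def qot_round(b, n, rng, r=None, r_prime=None):
    """One execution of QOT(b) between an honest sender S and an honest receiver R.
    r and r_prime may be fixed for testing; by default both are drawn at random as in
    the protocol. Returns R's output (a, b')."""
    x = tuple(rng.randrange(2) for _ in range(n))                    # Step 1: S picks x
    r = r if r is not None else rng.choice(BASES)                     # ... and basis r
    r_prime = r_prime if r_prime is not None else rng.choice(BASES)  # Step 3: R picks r'
    x_prime = measure(x, r, r_prime, rng)                             # Step 2/3: send, measure
    a_vec = tuple(rng.randrange(2) for _ in range(n))                 # Step 4: S announces
    e = b ^ hash_ip(a_vec, x)                                         #   r, f = f_a, e
    if r_prime == r:                                                  # Step 5: R's output
        return 1, e ^ hash_ip(a_vec, x_prime)
    return 0, 0


def round_with_bases(b, r, r_prime, n=8, seed=0):
    """Helper for deterministic checks: one round with both bases fixed."""
    return qot_round(b, n, random.Random(seed), r, r_prime)


def simulate(trials, n=16, seed=1):
    """Returns (fraction of runs with a = 1, fraction of those runs with b' = b)."""
    rng = random.Random(seed)
    received = correct = 0
    for _ in range(trials):
        b = rng.randrange(2)
        a, b_prime = qot_round(b, n, rng)
        if a == 1:
            received += 1
            correct += int(b_prime == b)
    return received / trials, (correct / received if received else None)


def wrong_basis_agreement(trials, n=16, seed=2):
    """Forces r' != r and returns how often e xor f(x') happens to equal b. Because x' is
    then uniformly random and independent of x, this is about 1/2: the value carries no
    information about b, which is why R outputs a = 0, b' = 0 in that case."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        b = rng.randrange(2)
        x = tuple(rng.randrange(2) for _ in range(n))
        x_prime = measure(x, '+', 'x', rng)
        a_vec = tuple(rng.randrange(2) for _ in range(n))
        e = b ^ hash_ip(a_vec, x)
        hits += int((e ^ hash_ip(a_vec, x_prime)) == b)
    return hits / trials


if __name__ == "__main__":
    frac, corr = simulate(4000)
    print("Pr[a = 1] ~", frac, "  Pr[b' = b | a = 1] =", corr)
    print("agreement with b when r' != r ~", wrong_basis_agreement(4000))
```

The simulation covers honest parties only; the memory-bounded dishonest receiver of Section 3.3 is a genuinely quantum object (a compression unitary applied before Step 4) and is what the uncertainty relation of Section 3.4 is needed for.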

As we shall see in Section 3.5, the security of the QOT protocol against receivers with bounded-size quantum memory holds as long as the bound applies before Step 4 is reached. An equivalent protocol is obtained by purifying the sender's actions. Although QOT is easy to implement, the purified or EPR-based version [?] depicted in Figure 2 is easier to prove secure. A similar approach was taken in the Shor-Preskill proof of security for the BB84 quantum key distribution scheme [26].



EPR-QOT(b):

1. S prepares $n$ EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.

2. S sends one half of each pair to R and keeps the other halves.

3. R picks $r' \in_R \{+, \times\}$ and measures all received qubits in basis $r'$. Let $x' \in \{0,1\}^n$ be the result.

4. S picks $r \in_R \{+, \times\}$, and measures all kept qubits in basis $r$. Let $x \in \{0,1\}^n$ be the outcome. S announces $r$, $f \in_R \mathcal{H}_n$, and $e := b \oplus f(x)$.

5. R outputs $a := 1$ and $b' := e \oplus f(x')$ if $r' = r$ and else $a := 0$ and $b' := 0$.

Figure 2. Protocol for EPR-based Rabin QOT

Notice that while QOT requires no quantum memory for honest players, 
quantum memory for S seems to be required in EPR-QOT. The following 
Lemma shows the strict equivalence between QOT and epr-qot. 

Lemma 3.2. QOT is secure if and only if epr-qot is secure. 

Proof: The proof follows easily after observing that S's choices of $r$ and $f$, together with the measurements, all commute with R's actions. Therefore, they can be performed right after Step 1 with no change for R's view. Modifying EPR-QOT that way results in QOT. □

Note that for a dishonest receiver it is not only irrelevant whether he tries 
to attack QOT or epr-qot, but in fact there is no difference in the two 
protocols from his point of view. 

Lemma 3.3. epr-qot is perfectly receiver-private. 

Proof: It is obvious that no information about whether R has received the 
bit is leaked to any sender S, since R does not send anything, i.e. epr-qot 
is non-interactive! □ 

3.3 Modeling Dishonest Receivers 

We model dishonest receivers in QOT respectively epr-qot under the as- 
sumption that the maximum size of their quantum storage is bounded. 
These adversaries are only required to have bounded quantum storage when 
they reach Step 4 in (EPR-)QOT. Before that, the adversary can store and carry out quantum computations involving any number of qubits. Apart
from the restriction on the size of the quantum memory available to the 
adversary, no other assumption is made. In particular, the adversary is not 
assumed to be computationally bounded and the size of its classical memory 
is not restricted. 

Definition 3.4. The set $\mathfrak{R}_\gamma$ denotes all possible quantum dishonest receivers $\{\tilde{R}_n\}_{n > 0}$ in QOT or EPR-QOT where for each $n > 0$, $\tilde{R}_n$ has quantum memory of size at most $\gamma n$ when Step 4 is reached.

In general, the adversary $\tilde{R}$ is allowed to perform any quantum computation compressing the $n$ qubits received from S into a quantum register $M$ of size at most $\gamma n$ when Step 4 is reached. More precisely, the compression function is implemented by some unitary transform $C$ acting upon the quantum state received and an ancilla of arbitrary size. The compression is performed by a measurement that we assume in the computational basis without loss of generality. Before starting Step 4 the adversary first applies a unitary transform $C$:

$$2^{-n/2} \sum_{x \in \{0,1\}^n} |x\rangle \otimes C\,|x\rangle |0\rangle \;=\; 2^{-n/2} \sum_{x \in \{0,1\}^n} |x\rangle \otimes \sum_y \alpha_{x,y}\, |\varphi_{x,y}\rangle_M |y\rangle_Y ,$$

where for all $x$, $\sum_y |\alpha_{x,y}|^2 = 1$. Then, a measurement in the computational basis is applied to register $Y$ providing classical outcome $y$. The result is a quantum state in register $M$ of size $\gamma n$ qubits. Ignoring the value of $y$ to ease the notation, the re-normalized state of the system is now in its most general form when Step 4 in EPR-QOT is reached:

$$|\psi\rangle = \sum_x \alpha_x |x\rangle \otimes |\varphi_x\rangle_M ,$$

where $\sum_x |\alpha_x|^2 = 1$.

3.4 Uncertainty Relation 

We first prove a general uncertainty result and derive from that a corollary 
that plays the crucial role in the security proof of epr-qot and thus of 
QOT. The uncertainty result concerns the situation where the sender holds 
an arbitrary quantum register of n qubits. He may measure them in either 
the + or the x basis. We are interested in the distribution of both these 
measurement results, and we want to claim that they cannot both be "very 
far from uniform". One way to express this is to say that a distribution is 
very non-uniform if one can identify a subset of outcomes that has much 
higher probability than for a uniform choice. Intuitively, the theorem below 
says that such sets cannot be found for both of the sender's measurements. 
Theorem 3.5. Let the density matrix $\rho_A$ describe the state of an $n$-qubit register $A$. Let $Q_+(\cdot)$ and $Q_\times(\cdot)$ be the respective distributions of the outcome when register $A$ is measured in the +-basis respectively the ×-basis. Then, for any two sets $L_+ \subseteq \{0,1\}^n$ and $L_\times \subseteq \{0,1\}^n$ it holds that

$$Q_+(L_+) + Q_\times(L_\times) \le \Big(1 + \sqrt{2^{-n} |L_+| \, |L_\times|}\Big)^2 .$$

Proof: We can purify register $A$ by adding a register $B$, such that the state of the composite system is pure. It can then be written as $|\psi\rangle_{AB} = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle_A |\varphi_x\rangle_B$ for some complex amplitudes $\alpha_x$ and normalized state vectors $|\varphi_x\rangle$.

Clearly, $Q_+(x) = |\alpha_x|^2$. To give a more explicit form of the distribution $Q_\times$, we apply the Hadamard transformation to register $A$:

$$(H^{\otimes n} \otimes \mathbb{1}_B)\, |\psi\rangle = \sum_{z \in \{0,1\}^n} |z\rangle \otimes \sum_{x \in \{0,1\}^n} 2^{-\frac{n}{2}} (-1)^{x \cdot z} \alpha_x |\varphi_x\rangle$$

and obtain

$$Q_\times(z) = \Big\| \sum_{x \in \{0,1\}^n} 2^{-\frac{n}{2}} (-1)^{x \cdot z} \alpha_x |\varphi_x\rangle \Big\|^2 .$$

Let $\bar{L}_+$ denote the complement of $L_+$ and $p$ its probability $Q_+(\bar{L}_+)$. We can now split the sum in $Q_\times(z)$ in the following way:

$$Q_\times(z) = \Big\| \sum_{x \in \bar{L}_+} 2^{-\frac{n}{2}} (-1)^{x \cdot z} \alpha_x |\varphi_x\rangle + \sum_{x \in L_+} 2^{-\frac{n}{2}} (-1)^{x \cdot z} \alpha_x |\varphi_x\rangle \Big\|^2 = \Big\| \sqrt{p}\, \zeta_z |v_z\rangle + \sum_{x \in L_+} 2^{-\frac{n}{2}} (-1)^{x \cdot z} \alpha_x |\varphi_x\rangle \Big\|^2 ,$$

where $|v_z\rangle$ is defined as follows: For the normalized state $|v\rangle := \frac{1}{\sqrt{p}} \sum_{x \in \bar{L}_+} \alpha_x |x\rangle |\varphi_x\rangle$, $\zeta_z |v_z\rangle$ is the $z$-component of the state $H^{\otimes n} |v\rangle = \sum_z \zeta_z |z\rangle \otimes |v_z\rangle$. It therefore holds that $\sum_z |\zeta_z|^2 = 1$.

To upper-bound the amplitudes provided by the sum over $L_+$, we notice that the amplitude is maximized when all unit vectors $|\varphi_x\rangle$ point in the same direction and when $(-1)^{x \cdot z} \alpha_x = |\alpha_x|$. More formally,

$$\Big\| \sum_{x \in L_+} 2^{-\frac{n}{2}} (-1)^{x \cdot z} \alpha_x |\varphi_x\rangle \Big\| \le \sum_{x \in L_+} 2^{-\frac{n}{2}} |\alpha_x| \le 2^{-\frac{n}{2}} \sqrt{|L_+|} \sqrt{\sum_{x \in L_+} |\alpha_x|^2} \le 2^{-\frac{n}{2}} \sqrt{|L_+|} , \qquad (3)$$

where (3) is obtained from the Cauchy-Schwarz inequality. Using $\ell_+$ and $\ell_\times$ as shorthands for $|L_+|$ respectively $|L_\times|$, we conclude that

$$\begin{aligned}
Q_\times(L_\times) &= \sum_{z \in L_\times} Q_\times(z) \\
&\le \sum_{z \in L_\times} \Big( \sqrt{p}\, |\zeta_z| + 2^{-\frac{n}{2}} \sqrt{\ell_+} \Big)^2 \\
&= p \sum_{z \in L_\times} |\zeta_z|^2 + 2 \cdot 2^{-\frac{n}{2}} \sqrt{p\, \ell_+} \sum_{z \in L_\times} |\zeta_z| + \ell_\times \cdot 2^{-n} \ell_+ \\
&\le p + 2 \cdot 2^{-\frac{n}{2}} \sqrt{p\, \ell_+} \sqrt{\ell_\times \sum_{z \in L_\times} |\zeta_z|^2} + 2^{-n} \ell_+ \ell_\times \qquad (4) \\
&\le p + 2 \sqrt{2^{-n} \ell_+ \ell_\times} + 2^{-n} \ell_+ \ell_\times \\
&= 1 - Q_+(L_+) + 2 \sqrt{2^{-n} \ell_+ \ell_\times} + 2^{-n} \ell_+ \ell_\times . \qquad (5)
\end{aligned}$$

Inequality (4) follows again from Cauchy-Schwarz while in (5), we use the definition of $p$. The claim of the proposition follows after re-arranging the terms. □

This theorem yields a meaningful bound as long as $|L_+| \cdot |L_\times| < (\sqrt{2} - 1)^2 \cdot 2^n$, e.g. if $L_+$ and $L_\times$ both contain less than $2^{n/2}$ elements. If for $r \in \{+, \times\}$, $L_r$ contains only the $n$-bit string with the maximal probability of $Q_r$, we obtain as a corollary a slightly weaker version of a known relation (see (9) in [?]).

Corollary 3.6. Let $q_+$ and $q_\times$ be the maximal probabilities of the distributions $Q_+$ and $Q_\times$ from above. It then holds that $q_+ \cdot q_\times \le \frac14 (1 + c)^4$ where $c = 2^{-n/2}$.

Theorem 3.5 can be generalized to more than two mutually unbiased bases. We call different sets $\mathcal{B}^0, \mathcal{B}^1, \ldots, \mathcal{B}^N$ of bases of the complex Hilbert space $\mathbb{C}^{2^n}$ mutually unbiased, if for all $i \neq j \in \{0, \ldots, N\}$, it holds that

$$\forall\, |\psi\rangle \in \mathcal{B}^i,\ |\varphi\rangle \in \mathcal{B}^j : \quad |\langle \psi | \varphi \rangle|^2 = 2^{-n} .$$

Theorem 3.7. Let the density matrix $\rho$ describe the state of an $n$-qubit register $A$ and let $\mathcal{B}^0, \mathcal{B}^1, \ldots, \mathcal{B}^N$ be mutually unbiased bases of register $A$. Let $Q^0(\cdot), Q^1(\cdot), \ldots, Q^N(\cdot)$ be the distributions of the outcome when register $A$ is measured in bases $\mathcal{B}^0, \mathcal{B}^1, \ldots, \mathcal{B}^N$, respectively. Then, for any sets $L^0, L^1, \ldots, L^N \subseteq \{0,1\}^n$, it holds that

$$\sum_{i=0}^{N} Q^i(L^i) \le 1 - \binom{N+1}{2} + \sum_{0 \le j < k \le N} \Big( 1 + \sqrt{2^{-n} |L^j| \, |L^k|} \Big)^2 .$$

Proof: As in the proof of Theorem 3.5 we can purify register $A$ by adding a register $B$. The composite state can then be written as $|\psi\rangle_{AB} = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle_A |\varphi_x\rangle_B$ for some complex amplitudes $\alpha_x$ and normalized state vectors $|\varphi_x\rangle$.

We prove the statement by induction over $N$: For $N = 1$, by applying an appropriate unitary transform to the whole system, we can assume without loss of generality that $\mathcal{B}^0$ is the standard +-basis. Let us denote by $T$ the matrix of the basis change from $\mathcal{B}^0$ to $\mathcal{B}^1$. As the inner product between states $|\phi\rangle \in \mathcal{B}^0$ and $|\phi'\rangle \in \mathcal{B}^1$ is always $|\langle \phi | \phi' \rangle| = 2^{-n/2}$, it follows that all entries of $T$ are complex numbers of the form $2^{-n/2} \cdot e^{i\lambda}$ for real $\lambda \in \mathbb{R}$. It is easy to verify that the same proof as for Theorem 3.5 applies after replacing the Hadamard transform $H^{\otimes n}$ on the sender's part by $T$ and using the above observation about the entries of $T$.

For the induction step from $N$ to $N + 1$, we define $p := Q^0(\bar{L}^0)$, $|v\rangle := \frac{1}{\sqrt{p}} \sum_{x \in \bar{L}^0} \alpha_x |x\rangle |\varphi_x\rangle$, and let $\zeta^i_z |v^i_z\rangle$ be the $z$-component of the state $|v\rangle$ transformed into basis $\mathcal{B}^i$. As in the proof of Theorem 3.5, using $\ell_i$ as a short hand for $|L^i|$, it follows:

$$\begin{aligned}
\sum_{i=1}^{N} Q^i(L^i) &= \sum_{i=1}^{N} \sum_{z \in L^i} Q^i(z) \\
&\le \sum_{i=1}^{N} \sum_{z \in L^i} \Big( \sqrt{p}\, |\zeta^i_z| + 2^{-\frac{n}{2}} \sqrt{\ell_0} \Big)^2 \\
&\le p \cdot \sum_{i=1}^{N} \sum_{z \in L^i} |\zeta^i_z|^2 + \sum_{i=1}^{N} \Big( 2 \sqrt{2^{-n} \ell_0 \ell_i} + 2^{-n} \ell_0 \ell_i \Big) \\
&= p \cdot \sum_{i=1}^{N} P^i(L^i) + \sum_{i=1}^{N} \Big( 1 + \sqrt{2^{-n} \ell_0 \ell_i} \Big)^2 - N ,
\end{aligned}$$

where the distributions $P^i$ are obtained by measuring register $A$ of the normalized state $|v\rangle$ in the mutually unbiased bases $\mathcal{B}^1, \mathcal{B}^2, \ldots, \mathcal{B}^N$. We apply the induction hypothesis to the sum of $P^i(L^i)$:

$$\begin{aligned}
\sum_{i=1}^{N} Q^i(L^i) &\le p \cdot \sum_{i=1}^{N} P^i(L^i) + \sum_{i=1}^{N} \Big( 1 + \sqrt{2^{-n} \ell_0 \ell_i} \Big)^2 - N \\
&\le \big[ 1 - Q^0(L^0) \big] \Big( 1 - \binom{N}{2} + \sum_{1 \le j < k \le N} \Big( 1 + \sqrt{2^{-n} \ell_j \ell_k} \Big)^2 \Big) + \sum_{i=1}^{N} \Big( 1 + \sqrt{2^{-n} \ell_0 \ell_i} \Big)^2 - N \\
&\le -Q^0(L^0) + 1 - \binom{N+1}{2} + \sum_{0 \le j < k \le N} \Big( 1 + \sqrt{2^{-n} \ell_j \ell_k} \Big)^2 ,
\end{aligned}$$

where the last inequality follows by observing that the term in the right bracket is at least 1 and rearranging the terms. This completes the induction step and the proof of the proposition. □

Analogous to Corollary 3.6 we derive an uncertainty relation about the
sum of the min-entropies of up to $2^{n/4}$ distributions.

Corollary 3.8. For an $\varepsilon > 0$, let $0 \le N < 2^{(\frac{1}{4} - \varepsilon) n}$. For $i = 0, \dots, N$, let
$H^i_\infty$ be the min-entropies of the distributions $Q^i$ from the theorem above.
Then,

$$\sum_{i=0}^{N} H^i_\infty \;\ge\; (N+1)\big(\log(N+1) - \mathrm{negl}(n)\big)\,.$$

Proof: For $i = 0, \dots, N$, we denote by $q^i_\infty$ the maximal probability of $Q^i$
and let $L^i$ be the set containing only the n-bit string x with this maximal
probability $q^i_\infty$. Theorem 3.7 together with the assumption about N assures
$\sum_{i=0}^{N} q^i_\infty \le 1 + \mathrm{negl}(n)$. By the inequality of the geometric and arithmetic
mean follows:

$$\sum_{i=0}^{N} H^i_\infty = -\sum_{i=0}^{N} \log q^i_\infty
\;\ge\; -(N+1) \log\Big(\frac{\sum_{i=0}^{N} q^i_\infty}{N+1}\Big)
\;\ge\; -(N+1) \log\Big(\frac{1 + \mathrm{negl}(n)}{N+1}\Big)
= (N+1)\big(\log(N+1) - \mathrm{negl}(n)\big)\,.$$

□



3.5 Security Against Dishonest Receivers 

In this section, we show that EPR-QOT is secure against any dishonest receiver
having access to a quantum storage device of size strictly smaller than
half the number of qubits received at Step 2.

In our setting, we use Theorem 3.5 to lower-bound the overall probability
of strings with small probabilities in the following sense. For $0 < \gamma + \kappa < 1$,
define

$$S^+ := \{x \in \{0,1\}^n : Q^+(x) < 2^{-(\gamma+\kappa)n}\} \quad\text{and}\quad
S^\times := \{z \in \{0,1\}^n : Q^\times(z) < 2^{-(\gamma+\kappa)n}\}$$

to be the sets of strings with small probabilities and denote by $L^+ := \overline{S^+}$
and $L^\times := \overline{S^\times}$ their complements. (Here's the mnemonic: S for the strings
with Small probabilities, L for Large.) Note that for all $x \in L^+$, we have
that $Q^+(x) \ge 2^{-(\gamma+\kappa)n}$ and therefore $|L^+| \le 2^{(\gamma+\kappa)n}$. Analogously, we have
$|L^\times| \le 2^{(\gamma+\kappa)n}$. For the ease of notation, we abbreviate the probabilities that
strings with small probabilities occur as follows: $q^+ := Q^+(S^+)$ and
$q^\times := Q^\times(S^\times)$. The next corollary now immediately follows from Theorem 3.5.

Corollary 3.9. Let $\gamma + \kappa < \frac{1}{2}$. For the probability distributions $Q^+, Q^\times$
and the sets $S^+, S^\times$ defined above, we have

$$q^+ + q^\times = Q^+(S^+) + Q^\times(S^\times) \;\ge\; 1 - \mathrm{negl}(n)\,.$$
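As an added worked step (not part of the original text), here is how Corollary 3.9 follows from Theorem 3.5, using that theorem's bound in the form $Q^+(L^+) + Q^\times(L^\times) \le 1 + 2^{-n/2}\sqrt{|L^+|\,|L^\times|}$ together with $|L^+|, |L^\times| \le 2^{(\gamma+\kappa)n}$ from above:

$$q^+ + q^\times = \big(1 - Q^+(L^+)\big) + \big(1 - Q^\times(L^\times)\big)
\;\ge\; 1 - 2^{-n/2}\sqrt{|L^+|\,|L^\times|}
\;\ge\; 1 - 2^{-n/2} \cdot 2^{(\gamma+\kappa)n}
= 1 - 2^{-(\frac{1}{2} - \gamma - \kappa)n}\,.$$

The last term is negligible in n precisely because $\gamma + \kappa < \frac{1}{2}$; this is the point where the memory bound $\gamma < \frac{1}{2}$ of Theorem 3.10 enters.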

Theorem 3.10. For all $\gamma < \frac{1}{2}$, QOT is secure against $\mathfrak{R}_\gamma$.

Proof: After Lemmata 3.2 and 3.3 it remains to show that EPR-QOT is
sender-private against $\mathfrak{R}_\gamma$. Since $\gamma < \frac{1}{2}$, we can find $\kappa > 0$ with $\gamma + \kappa < \frac{1}{2}$.
Consider a dishonest receiver R in EPR-QOT with quantum memory of size $\gamma n$.

Using the notation from Section 3.1 we show that there exists an event
$\mathcal{E}$ such that $P[\mathcal{E}] \ge \frac{1}{2} - \mathrm{negl}(n)$ as well as
$\delta\big([\{B\} \otimes \rho_R \mid \mathcal{E}],\ [\{B\}] \otimes [\rho_R \mid \mathcal{E}]\big) \le \mathrm{negl}(n)$,
as required by the sender-privacy condition of the definition in Section 3.1. Let X
denote the random variable describing the outcome x of S's measurement (in
basis r) in Step 4 of EPR-QOT. We implicitly understand the distribution
of X to be conditioned on the classical outcome y of the measurement R
performs when the memory bound applies, as described in Section 3.3. We
define $\mathcal{E}$ to be the event $X \in S^r$. Note that $\mathcal{E}$ is independent of B and
thus $[B \mid \mathcal{E}] = [B]$. Furthermore, due to the uniform choice of r, and using
Corollary 3.9, $P[\mathcal{E}] = \frac{1}{2}(q^+ + q^\times) \ge \frac{1}{2} - \mathrm{negl}(n)$.

In order to show the second condition, we have to show that whenever $\mathcal{E}$
occurs, the dishonest receiver cannot distinguish the situation where B = 0
is sent from the one where B = 1 is sent. As the bit B is masked by the
output of the hash function F(X) in Step 4 of EPR-QOT (where the random
variable F represents the random choice for f), this is equivalent to
distinguishing between F(X) = 0 and F(X) = 1. This situation is exactly suited for
applying Theorem 2.1, which says that F(X) = 0 is indistinguishable from
F(X) = 1 whenever the right-hand side of (2) is negligible.

In the case r = +, we have

$$H_\infty(X \mid X \in S^+) = -\log\Big(\max_{x \in S^+} \frac{Q^+(x)}{q^+}\Big)
\;\ge\; -\log\Big(\frac{2^{-(\gamma+\kappa)n}}{q^+}\Big)
= \gamma n + \kappa n + \log(q^+)\,. \qquad (6)$$

If $q^+ \ge 2^{-\frac{\kappa}{2} n}$ then $H_\infty(X \mid X \in S^+) \ge \gamma n + \frac{\kappa}{2} n$ and indeed the right-hand
side of (2) decreases exponentially when conditioning on $X \in S^+$. The
corresponding holds for the case r = ×.

Finally, if $q^+ < 2^{-\frac{\kappa}{2} n}$ (or similarly $q^\times < 2^{-\frac{\kappa}{2} n}$) then instead of as above
we define $\mathcal{E}$ as the empty event if r = + and as the event $X \in S^\times$ if
r = ×. It follows that $P[\mathcal{E}] = \frac{1}{2} \cdot q^\times \ge \frac{1}{2} - \mathrm{negl}(n)$ as well as
$H_\infty(X \mid \mathcal{E}) = H_\infty(X \mid X \in S^\times) \ge \gamma n + \kappa n + \log(q^\times) \ge \gamma n + \frac{\kappa}{2} n$ (for n large
enough), both by Corollary 3.9 and the bound on $q^+$. □



3.6 On the Necessity of Privacy Amplification 

In this section, we show that randomized privacy amplification seems to be
needed for protocol QOT to be secure. It is tempting to believe that the
sender could use the xor $\bigoplus_i x_i$ in order to mask the bit b, rather than f(x)
for a randomly sampled $f \in \mathcal{H}_n$. This would reduce the communication
complexity as well as the number of random coins needed. However, we
argue in this section that this is not secure (against an adversary as we
model it). Indeed, somewhat surprisingly, this variant can be broken by
a dishonest receiver that has no quantum memory at all (but that can do
coherent measurements on pairs of qubits).

Clearly, a dishonest receiver can break the modified scheme QOT and
learn the bit b with probability 1 if he can compute $\bigoplus_i x_i$ with probability 1.
Note that, using the equivalence between QOT and EPR-QOT, $x_i$ can be
understood as the outcome of the measurement in either the +- or the ×-
basis, performed by the sender on one part of an EPR pair while the other
has been handed over to the receiver. The following proposition shows that
indeed the receiver can learn $\bigoplus_i x_i$ by a suitable measurement of his parts
of the EPR pairs. Concretely, he measures the qubits he receives pair-wise
by a suitable measurement which allows him to learn the xor of the two
corresponding $x_i$'s, no matter what the basis is (and he needs to store one
single qubit in case n is odd). This obviously allows him to learn the xor of
all $x_i$'s in all cases.



Proposition 3.11. Consider two EPR pairs, i.e., $|\psi\rangle = \frac{1}{2} \sum_x |x\rangle_S |x\rangle_R$
where x ranges over $\{0,1\}^2$. Let $r \in \{+, \times\}$, and let $x_1$ and $x_2$ be the
result when measuring the two qubits in register S in basis r. There exists
a fixed measurement for register R so that the outcome together with r
uniquely determines $x_1 \oplus x_2$.

Proof: The measurement that does the job is the Bell measurement, i.e.,
the measurement in the Bell basis $\{|\Phi^+\rangle, |\Psi^+\rangle, |\Phi^-\rangle, |\Psi^-\rangle\}$. Recall,

$$|\Phi^+\rangle = \tfrac{1}{\sqrt{2}}\big(|00\rangle_+ + |11\rangle_+\big) = \tfrac{1}{\sqrt{2}}\big(|00\rangle_\times + |11\rangle_\times\big)$$
$$|\Psi^+\rangle = \tfrac{1}{\sqrt{2}}\big(|01\rangle_+ + |10\rangle_+\big) = \tfrac{1}{\sqrt{2}}\big(|00\rangle_\times - |11\rangle_\times\big)$$
$$|\Phi^-\rangle = \tfrac{1}{\sqrt{2}}\big(|00\rangle_+ - |11\rangle_+\big) = \tfrac{1}{\sqrt{2}}\big(|01\rangle_\times + |10\rangle_\times\big)$$
$$|\Psi^-\rangle = \tfrac{1}{\sqrt{2}}\big(|01\rangle_+ - |10\rangle_+\big) = \tfrac{1}{\sqrt{2}}\big(|10\rangle_\times - |01\rangle_\times\big)$$

Due to the special form of the Bell basis, when register R is measured
and, as a consequence, one of the four Bell states is observed, the state in
register S collapses to that same Bell state. Indeed, when doing the basis
transformation, all cross-products cancel each other out. It now follows by
inspection that knowledge of the Bell state and the basis r allows to predict
the xor of the two bits observed when measuring the Bell state in basis r.
For instance, for the Bell state $|\Psi^+\rangle$, the xor is 1 if r = + and it is 0 if
r = ×. □

Note that from the above proof one can see that the receiver's attack, 
respectively his measurement on each pair of qubits, can be understood as 
teleporting one of the two (entangled) qubits from the receiver to the sender 
using the other as EPR pair (but the receiver does not send the outcome of 
his measurement to the sender, but keeps it in order to predict the xor). 
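The attack of Proposition 3.11 can be checked numerically. The following Python program is an added example, not code from the paper: it builds the two-EPR-pair state $\frac{1}{2}\sum_x |x\rangle_S |x\rangle_R$ as a real 16-dimensional vector (the qubit order S1, S2, R1, R2 is this example's convention), projects register R onto each Bell state, measures the collapsed register S in the + or × basis and confirms that the parity $x_1 \oplus x_2$ is fixed by the Bell outcome and r. The function `attack` then runs the memoryless strategy over several pairs, sampling the Bell outcomes with their actual probabilities, and checks that the xor of the receiver's predictions equals the xor of the bits the sender measures. All function names are this example's own.

```python
import itertools
import math
import random

S2 = 1 / math.sqrt(2)
# Hadamard matrix: H[z][j] is the overlap <z|_x |j>_+ between the two bases.
H = ((S2, S2), (S2, -S2))

# Bell basis on two qubits; amplitudes indexed by |00>,|01>,|10>,|11> in the + basis.
BELL = {
    "Phi+": (S2, 0.0, 0.0, S2),    # (|00> + |11>)/sqrt2
    "Psi+": (0.0, S2, S2, 0.0),    # (|01> + |10>)/sqrt2
    "Phi-": (S2, 0.0, 0.0, -S2),   # (|00> - |11>)/sqrt2
    "Psi-": (0.0, S2, -S2, 0.0),   # (|01> - |10>)/sqrt2
}


def two_epr_pairs():
    """|psi> = 1/2 sum_{x in {0,1}^2} |x>_S |x>_R, qubit order (S1, S2, R1, R2)."""
    psi = [0.0] * 16
    for x1, x2 in itertools.product((0, 1), repeat=2):
        psi[(x1 << 3) | (x2 << 2) | (x1 << 1) | x2] = 0.5
    return psi


def sender_state_after_bell(psi, bell):
    """Unnormalised state of (S1, S2) once R has observed Bell vector `bell` on (R1, R2).
    Its squared norm is the probability of that Bell outcome (1/4 for each of the four)."""
    return [sum(bell[r] * psi[(s << 2) | r] for r in range(4)) for s in range(4)]


def measure_pair(state, basis):
    """Outcome distribution {(x1, x2): prob} for measuring both qubits in basis '+' or 'x'."""
    if basis == "x":
        # amplitude of |z>_x is <z|_x (H tensor H) |state>_+
        state = [sum(H[z >> 1][j >> 1] * H[z & 1][j & 1] * state[j] for j in range(4))
                 for z in range(4)]
    total = sum(a * a for a in state)
    return {(z >> 1, z & 1): a * a / total for z, a in enumerate(state)}


def xor_distribution(bell_name, basis):
    """Distribution of x1 xor x2 for S's measurement in `basis`, given R's Bell outcome."""
    dist = measure_pair(sender_state_after_bell(two_epr_pairs(), BELL[bell_name]), basis)
    out = {0: 0.0, 1: 0.0}
    for (x1, x2), p in dist.items():
        out[x1 ^ x2] += p
    return out


def predicted_xor(bell_name, basis):
    """R's prediction: the parity carrying the whole probability mass."""
    dist = xor_distribution(bell_name, basis)
    return max(dist, key=dist.get)


def attack(n_pairs, basis, seed=0):
    """Memoryless receiver: Bell-measure every received pair, keep only the classical
    outcomes, and after r is announced predict the xor of all of S's bits.
    Returns True if the prediction equals the xor S actually measures."""
    rng = random.Random(seed)
    psi = two_epr_pairs()
    states = {name: sender_state_after_bell(psi, vec) for name, vec in BELL.items()}
    names = list(states)
    bell_probs = [sum(a * a for a in states[name]) for name in names]
    predicted = actual = 0
    for _ in range(n_pairs):
        name = rng.choices(names, weights=bell_probs)[0]            # R's Bell outcome
        outcomes, weights = zip(*measure_pair(states[name], basis).items())
        x1, x2 = rng.choices(outcomes, weights=weights)[0]           # S's later measurement
        actual ^= x1 ^ x2
        predicted ^= predicted_xor(name, basis)
    return predicted == actual


if __name__ == "__main__":
    for name in BELL:
        print(name, {r: predicted_xor(name, r) for r in ("+", "x")})
    print("attack succeeds:", attack(8, "+", seed=1), attack(8, "x", seed=2))
```

Because the prediction is made only after r is announced but needs nothing beyond the stored classical Bell outcomes, the receiver keeps no qubit at all, which is exactly why a fixed xor mask falls outside the protection the memory bound is supposed to give.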

Clearly, the same strategy also works against any fixed linear function. 
Therefore, the only hope for doing deterministic privacy amplification is by 
using a non-linear function; but whether it is possible at all is not known to 
us. 

3.7 Weakening the Assumptions 

Observe that QOT requires error-free quantum communication, in that a
transmitted bit b, that is encoded by the sender and measured by the
receiver using the same basis, is always received as b. And it requires a perfect
quantum source which on request produces one qubit in the right state, e.g.
one photon with the right polarization. Indeed, in case of noisy quantum
communication, an honest receiver in QOT is likely to receive an incorrect
bit, and the sender-privacy of QOT is vulnerable to imperfect sources that
once in a while transmit more than one qubit in the same state: a malicious
receiver R can easily determine the basis $r \in \{+, \times\}$ and measure all the
following qubits in the right basis. However, current technology only
allows to approximate the behavior of single-photon sources and of noise-free
quantum communication. It would be preferable to find a variant of QOT
that allows to weaken the technological requirements put upon the honest
parties.

In this section, we present such a protocol based on BB84 states,
BB84-QOT (see Figure 3). The security proof follows essentially by adapting
the security analysis of QOT in a rather straightforward way, as will be
discussed later.

Let us consider a quantum channel with an error probability $\phi < \frac{1}{2}$, i.e.,
$\phi$ denotes the probability that a transmitted bit b, that is encoded by the
sender and measured by the receiver using the same basis, is received as
$1 - b$. In order not to have the security rely on any level of noise, we assume
the error probability to be zero when considering a dishonest receiver. Also,
let us consider a quantum source which produces two or more qubits (in the
same state), rather than just one, with probability $\eta < 1 - \phi$. We call this
the $(\phi, \eta)$-weak quantum model.

In order to deal with noisy quantum communication, we need to do
error-correction without giving the adversary too much information. Techniques
to solve this problem are known as information reconciliation (e.g. [2]) or
as secure sketches [3]. Let $x \in \{0,1\}^\ell$ be an arbitrary string, and let
$x' \in \{0,1\}^\ell$ be the result of flipping every bit in x (independently) with
probability $\phi$. It is well known that learning the syndrome S(x) of x, with
respect to an efficiently decodable linear error-correcting code C of length $\ell$
with minimal distance $d = (\phi + \varepsilon)\ell$ where $\varepsilon > 0$, allows to recover x from
$x'$, except with negligible probability in $\ell$ (e.g. [20]). Furthermore, it
is known from coding theory that (for large enough $\ell$) such a code can be
chosen with rate R arbitrarily close to (but smaller than) $1 - h(\phi)$, i.e., such
that the syndrome length s is bounded by $s \le (h(\phi) + \varepsilon)\ell$ where $\varepsilon > 0$ (see
e.g. [S] and the references therein).

Regarding the loss of information, we can analyze privacy amplification
in a similar way as before, just by adding the syndrome S(x) to the random
state $\rho$. Using that $S_0([\{S(X)\} \otimes \rho]) \le \gamma n + s$, Theorem 2.1 then reads as

$$d\big(F(X) \,\big|\, \{F\} \otimes \{S(X)\} \otimes \rho\big) \;\le\; \tfrac{1}{2} \cdot 2^{-\frac{1}{2}\left(H_\infty(X) - \gamma n - s - 1\right)}\,. \qquad (7)$$

Consider the protocol BB84-QOT in the $(\phi, \eta)$-weak quantum model shown
in Figure 3. The protocol uses an efficiently decodable linear code $C_\ell$,
parameterized in $\ell \in \mathbb{N}$, with codeword length $\ell$, minimal distance $d = (\phi + \varepsilon)\ell$,
and rate $R = 1 - h(\phi) - \varepsilon$ for some small $\varepsilon > 0$. Let $S_\ell$ be the corresponding
syndrome function. Like before, the memory bound in BB84-QOT applies
before Step 4.

By the above mentioned properties of the code $C_\ell$, it is obvious that R
receives the correct bit b if $r' = r$, except with negligible probability. (The
error probability is negligible in $\ell$, but by Bernstein's law of large numbers,
$\ell$ is linear in n except with negligible probability.) Also, since there is no
communication from R to S, BB84-QOT is clearly receiver-private. Similar
as for protocol QOT, in order to argue about sender-privacy we compare
BB84-QOT with a purified version shown in Figure 4. BB84-EPR-QOT runs
in the $(\phi, 0)$-weak quantum model, and the imperfectness of the quantum
source assumed in BB84-QOT is simulated by S in BB84-EPR-QOT so that
there is no difference from R's point of view.

The security equivalence between BB84-QOT (in the $(\phi, \eta)$-weak quantum
model) and BB84-EPR-QOT (in the $(\phi, 0)$-weak quantum model) is omitted
here as it follows essentially along the same lines as in Section 3.2.
BB84-QOT(b):

1. S picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+, \times\}^n$.

2. S sends $x_i$ in the corresponding bases $|x_1\rangle_{\theta_1}, \dots, |x_n\rangle_{\theta_n}$ to R.

3. R picks $r' \in_R \{+, \times\}$ and measures all qubits in basis $r'$. Let
$x' \in \{0,1\}^n$ be the result.

4. S picks $r \in_R \{+, \times\}$, sets $I := \{i : \theta_i = r\}$ and $\ell := |I|$,
and announces r, I, $\mathrm{syn} := S_\ell(x|_I)$, $f \in_R \mathcal{H}_\ell$, and $e := b \oplus f(x|_I)$.

5. R recovers $x|_I$ from $x'|_I$ and syn, and outputs $a := 1$ and
$b' := e \oplus f(x|_I)$ if $r' = r$ and else $a := 0$ and $b' := 0$.

Figure 3. Protocol for the BB84 version of Rabin QOT
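The protocol of Figure 3, with all of its classical bookkeeping, can be exercised end to end in the following Python program, an added example that is not part of the paper. The quantum transmission is replaced by the honest measurement statistics of BB84 states over a channel with flip probability $\phi$ (a classical simulation, this example's assumption); the syndrome function $S_\ell$ is instantiated, for illustration only, by a block-wise [7,4] Hamming code, which corrects one flip per block and does not have the rate and distance properties the text requires; and the two-universal family $\mathcal{H}_\ell$ is instantiated by inner products with a random vector. The function names and these instantiations are this example's own.

```python
import random

BASES = ("+", "x")

# Parity-check columns of the [7,4] Hamming code: column j is the binary expansion of
# j = 1..7, so the syndrome of a single-bit error is the error's 1-based position.
HCOLS = [((j >> 2) & 1, (j >> 1) & 1, j & 1) for j in range(1, 8)]


def block_syndrome(block):
    """3-bit syndrome of one 7-bit block, packed into an integer 0..7."""
    s = [0, 0, 0]
    for bit, col in zip(block, HCOLS):
        if bit:
            s = [a ^ c for a, c in zip(s, col)]
    return (s[0] << 2) | (s[1] << 1) | s[2]


def syndrome(bits):
    """Toy syndrome function S_l: block-wise Hamming syndromes of a zero-padded string."""
    padded = bits + [0] * (-len(bits) % 7)
    return [block_syndrome(padded[i:i + 7]) for i in range(0, len(padded), 7)]


def reconcile(noisy, syn):
    """Recover x from x' and S_l(x), correcting at most one flipped bit per block."""
    padded = noisy + [0] * (-len(noisy) % 7)
    out = []
    for k, i in enumerate(range(0, len(padded), 7)):
        block = padded[i:i + 7]
        pos = block_syndrome(block) ^ syn[k]      # syndrome of x' xor x = error position
        if pos:
            block[pos - 1] ^= 1
        out.extend(block)
    return out[:len(noisy)]


def hash_bit(a, y):
    """Two-universal family H_l: f_a(y) = <a, y> mod 2, f chosen by the random vector a."""
    return sum(ai & yi for ai, yi in zip(a, y)) & 1


def bb84_qot(b, n=280, phi=0.0, seed=0):
    """One run of BB84-QOT between honest S and R. Returns (a, b') as output by R."""
    rng = random.Random(seed)
    # Step 1: S picks x and theta.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.choice(BASES) for _ in range(n)]
    # Steps 2-3: R picks r' and measures every |x_i>_{theta_i} in basis r'. A matching
    # basis yields x_i, flipped with probability phi by the channel; the conjugate basis
    # yields a uniform bit. (assumption: classical simulation of the honest statistics)
    r_prime = rng.choice(BASES)
    x_prime = [xi ^ int(rng.random() < phi) if ti == r_prime else rng.randrange(2)
               for xi, ti in zip(x, theta)]
    # Step 4: S picks r, keeps I = {i : theta_i = r} and announces r, I, syn, f and e.
    r = rng.choice(BASES)
    I = [i for i in range(n) if theta[i] == r]
    x_I = [x[i] for i in I]
    a = [rng.randrange(2) for _ in I]
    msg = {"r": r, "I": I, "syn": syndrome(x_I), "f": a, "e": b ^ hash_bit(a, x_I)}
    # Step 5: R reconciles and unmasks only if it measured in the announced basis.
    if r_prime != msg["r"]:
        return 0, 0
    x_I_rec = reconcile([x_prime[i] for i in msg["I"]], msg["syn"])
    return 1, msg["e"] ^ hash_bit(msg["f"], x_I_rec)


if __name__ == "__main__":
    for seed in range(6):
        print("seed", seed, "noise-free:", bb84_qot(1, seed=seed),
              "phi=0.01:", bb84_qot(1, phi=0.01, seed=seed))
```

With $\phi = 0$ the reconciliation is exact, so whenever $r' = r$ the receiver outputs $b' = b$; with $\phi > 0$ the toy code fails on any block carrying two flips, which is the gap the text closes by choosing a code of rate close to $1 - h(\phi)$ and distance $(\phi + \varepsilon)\ell$.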

Theorem 3.12. In the $(\phi, \eta)$-weak quantum model, BB84-QOT is secure
against $\mathfrak{R}_\gamma$ for any $\gamma < \frac{1-\eta}{4} - \frac{h(\phi)}{2}$ (if parameter $\varepsilon$ is chosen small enough).

Proof Sketch: It remains to show that BB84-EPR-QOT is sender-private
against $\mathfrak{R}_\gamma$ (in the $(\phi, 0)$-weak quantum model). The reasoning goes exactly
along the lines of the proof of Theorem 3.10, except that we restrict our
attention to those i's which are in J. By Bernstein's law of large numbers,
$\ell$ lies within $(1 \pm \varepsilon) n/2$ and $|J|$ within $(1 - \eta \pm \varepsilon) n/2$ except with negligible
probability. In order to make the proof easier to read, we assume that
$\ell = n/2$ and $|J| = (1 - \eta) n/2$, and we also treat the $\varepsilon$ occurring in the rate
of the code $C_\ell$ as zero. For the full proof, we simply need to carry the $\varepsilon$'s
along, and then choose it small enough at the end of the proof.

Write $n' = |J| = (1 - \eta) n/2$, and let $\gamma'$ be such that $\gamma n = \gamma' n'$, i.e.,
$\gamma' = 2\gamma/(1 - \eta)$. Let $S^+$ and $S^\times$ be defined as in Section 3.5 but with
respect to $n'$ and $\gamma'$ (and some $\kappa < \frac{1}{2} - \gamma'$). It then follows as in the proof
of Theorem 3.10 that

$$H_\infty(X|_J \mid X|_J \in S^+) \;\ge\; \gamma' n' + \kappa n' + \log(q^+)
= \gamma n + \kappa (1 - \eta) n/2 + \log(q^+)\,.$$

Similar as in the proof of Theorem 3.10, one can make a case distinction
on $q^+$ (whether $q^+ \ge 2^{-\varepsilon n}$ or $q^+ < 2^{-\varepsilon n}$), and in both cases argue that
the min-entropy in question is larger than $\gamma n + \kappa (1 - \eta) n/2$ ($\pm$ some $\varepsilon n$'s).
By (7), it remains to argue that this is larger than $\gamma n + s = \gamma n + h(\phi) n/2$,
i.e.,

$$\kappa (1 - \eta) > h(\phi)\,,$$

where $\kappa$ has to satisfy

$$\kappa < \tfrac{1}{2} - \gamma' = \tfrac{1}{2} - 2\gamma/(1 - \eta)\,.$$
BB84-EPR-QOT(b):

1. S prepares n EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.
Additionally, S initializes $I'_+ := \emptyset$ and $I'_\times := \emptyset$.

2. For every $i \in \{1, \dots, n\}$, S does the following. With probability
$1 - \eta$, S sends one half of the i-th pair to R and keeps the other
half. While with probability $\eta$, S picks $\theta_i \in_R \{+, \times\}$, replaces $I'_{\theta_i}$
by $I'_{\theta_i} \cup \{i\}$ and sends two or more qubits in the same state $|x_i\rangle_{\theta_i}$
to R where $x_i \in_R \{0,1\}$.

3. R picks $r' \in_R \{+, \times\}$ and measures all received qubits in basis $r'$.
Let $x' \in \{0,1\}^n$ be the result.

4. S picks a random index set $J \subseteq_R \{1, \dots, n\} \setminus (I'_+ \cup I'_\times)$. Then,
it picks $r \in_R \{+, \times\}$, sets $I := J \cup I'_r$ and $\ell := |I|$, and for each
$i \in J$ it measures the corresponding qubit in basis r. Let $x_i$ be
the corresponding outcome, and let $x|_I$ be the collection of all
$x_i$'s with $i \in I$. S announces r, I, $\mathrm{syn} = S_\ell(x|_I)$, $f \in_R \mathcal{H}_\ell$, and
$e = b \oplus f(x|_I)$.

5. R recovers $x|_I$ from $x'|_I$ and syn, and outputs $a := 1$ and
$b' := e \oplus f(x|_I)$, if $r' = r$ and else $a := 0$ and $b' := 0$.

Figure 4. Protocol for EPR-based Rabin QOT, BB84 version

This can obviously be achieved (by choosing k appropriately) if and only if 
the claimed bound on 7 holds. □ 
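As an added worked step (not part of the original text), the two constraints on $\kappa$ at the end of the proof sketch can be met simultaneously exactly when the bound of Theorem 3.12 holds. A $\kappa$ with

$$\frac{h(\phi)}{1 - \eta} \;<\; \kappa \;<\; \frac{1}{2} - \frac{2\gamma}{1 - \eta}$$

exists if and only if $\frac{h(\phi)}{1-\eta} < \frac{1}{2} - \frac{2\gamma}{1-\eta}$; multiplying by $1 - \eta > 0$ this is $h(\phi) < \frac{1-\eta}{2} - 2\gamma$, i.e.

$$\gamma \;<\; \frac{1 - \eta}{4} - \frac{h(\phi)}{2}\,.$$

For $\eta = 0$ and $\phi = 0$ this gives $\gamma < \frac{1}{4}$, half the bound of Theorem 3.10: the uncertainty relation is applied only to the $n' = (1-\eta)n/2$ positions in J, while the full memory $\gamma n$ is charged against them ($\gamma' = 2\gamma/(1-\eta)$).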

4 Quantum Commitment Scheme 

In this section, we present a BC scheme from a committer C with bounded 
quantum memory to an unbounded receiver V. The scheme is peculiar since 
in order to commit to a bit, the committer does not send anything. During 
the committing stage information only goes from V to C. The security 
analysis of the scheme uses similar techniques as the analysis of epr-qot. 

4.1 The Protocol 

The objective of this section is to present a bounded quantum-memory BC
scheme COMM (see Figure 5). Intuitively, a commitment to a bit b is made
by measuring random BB84-states in basis $\{+, \times\}[b]$.

As for the OT-protocol of Section 3.2 we present an equivalent EPR-version
of the protocol that is easier to analyze (see Figure 6).
COMM(b):

1. V picks $x \in_R \{0,1\}^n$ and $r \in_R \{+, \times\}^n$.

2. V sends $x_i$ in the corresponding bases $|x_1\rangle_{r_1}, |x_2\rangle_{r_2}, \dots, |x_n\rangle_{r_n}$
to C.

3. C commits to the bit b by measuring all qubits in basis $\{+, \times\}[b]$.
Let $x' \in \{0,1\}^n$ be the result.

4. To open the commitment, C sends b and $x'$ to V.

5. V verifies that $x_i = x'_i$ for those i where $r_i = \{+, \times\}[b]$. V accepts
if and only if this is the case.

Figure 5. Protocol for quantum commitment
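As an added illustration (not code from the paper), the following Python program runs COMM with honest parties and with the simplest dishonest committer the model allows, one that keeps no qubits: it measures everything in the + basis, i.e. commits to 0, and later tries to open 1 as well. The BB84 measurement is simulated by its ideal statistics, a convention of this example, as are the function names. V's check in Step 5 then catches the cheater except with probability $2^{-k}$, where k is the number of positions V prepared in the × basis, so for this committer $p_0 + p_1 = 1 + 2^{-k}$, the shape of the binding condition discussed in the next subsection.

```python
import random

BASES = ("+", "x")


def verifier_prepare(n, rng):
    """Step 1: V picks x in {0,1}^n and r in {+,x}^n; V will send |x_i>_{r_i}."""
    return [rng.randrange(2) for _ in range(n)], [rng.choice(BASES) for _ in range(n)]


def measure_all(x, r, basis, rng):
    """Steps 2-3 without noise: measuring |x_i>_{r_i} in `basis` returns x_i when
    r_i == basis and an independent uniform bit otherwise (assumption: classical
    simulation of the ideal measurement statistics)."""
    return [xi if ri == basis else rng.randrange(2) for xi, ri in zip(x, r)]


def commit(b, x, r, rng):
    """Step 3: C commits to b by measuring every qubit in basis {+,x}[b]."""
    return measure_all(x, r, BASES[b], rng)


def verify(x, r, b, x_prime):
    """Step 5: V accepts the opening (b, x') iff x_i == x'_i wherever r_i == {+,x}[b]."""
    return all(xi == xpi for xi, ri, xpi in zip(x, r, x_prime) if ri == BASES[b])


def honest_run(b, n=128, seed=0):
    """Honest C commits to b and opens it; V must accept."""
    rng = random.Random(seed)
    x, r = verifier_prepare(n, rng)
    return verify(x, r, b, commit(b, x, r, rng))


def memoryless_cheat(n=128, seed=0):
    """C measures everything in the + basis (i.e. commits to 0), keeps no qubit, and
    later tries to open either value. Returns (accepted as 0, accepted as 1, exact
    probability that opening 1 is accepted given V's choice of bases)."""
    rng = random.Random(seed)
    x, r = verifier_prepare(n, rng)
    x_prime = commit(0, x, r, rng)
    k = sum(1 for ri in r if ri == "x")        # positions V checks when 1 is opened
    return verify(x, r, 0, x_prime), verify(x, r, 1, x_prime), 2.0 ** -k


if __name__ == "__main__":
    print("honest:", honest_run(0), honest_run(1))
    print("memoryless cheater (open 0, open 1, Pr[open 1 accepted]):", memoryless_cheat())
```

A committer who instead keeps $\gamma n$ qubits unmeasured can do better on those positions; bounding what he gains from them is exactly the content of Theorem 4.5 below.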



Lemma 4.1. COMM is secure if and only if epr-COMM is secure. 

Proof: The proof uses similar reasoning as the one for Lemma 3.2. First,
it clearly makes no difference if we change Step 5 to the following:

5'. V chooses the subset I, measures all qubits with index in I in basis
$\{+, \times\}[b]$ and all qubits not in I in basis $\{+, \times\}[1 - b]$. V verifies that
$x_i = x'_i$ for all $i \in I$ and accepts if and only if this is the case.

Finally, we can observe that the view of C does not change if V would have
done his choice of I and his measurement already in Step 1. Doing the
measurements at this point means that the qubits to be sent to C collapse
to a state that is distributed identically to the state prepared in the original
scheme. The EPR-version is therefore equivalent to the original commitment
scheme from C's point of view. □

It is clear that EPR-COMM is hiding, i.e., that the commit phase reveals 
no information on the committed bit, since no information is transmitted to 
V at all. Hence we have 
Lemma 4.2. epr-COMM is perfectly hiding. 

4.2 Modeling Dishonest Committers 

A dishonest committer C with bounded memory of at most $\gamma n$ qubits in
EPR-COMM can be modeled very similarly to the dishonest OT-receiver R
from Section 3.3. C consists first of a circuit acting on all n qubits received,
then of a measurement of all but at most $\gamma n$ qubits, and finally of a circuit
that takes the following input: a bit b that C will attempt to open, the
qubits in memory, and some ancilla in a fixed state. The output is a string
$x' \in \{0,1\}^n$ to be sent to V at the opening stage.
EPR-COMM(b):

1. V prepares n EPR pairs each in state $|\Omega\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.

2. V sends one half of each pair to C and keeps the other halves.

3. C commits to the bit b by measuring all received qubits in basis
$\{+, \times\}[b]$. Let $x' \in \{0,1\}^n$ be the result.

4. To open the commitment, C sends b and $x'$ to V.

5. V measures all his qubits in basis $\{+, \times\}[b]$ and obtains $x \in \{0,1\}^n$.
He chooses a random subset $I \subseteq \{1, \dots, n\}$. V verifies that $x_i = x'_i$ for
all $i \in I$ and accepts if and only if this is the case.

Figure 6. Protocol for EPR-based quantum commitment

Definition 4.3. We define $\mathfrak{C}_\gamma$ to be the class of all committers $\{C_n\}_{n>0}$ in
COMM or EPR-COMM that, at the start of the opening phase (i.e. at Step 4),
have a quantum memory of size at most $\gamma n$ qubits.

We adopt the binding condition for quantum BC from [14]:

Definition 4.4. A (quantum) BC scheme is (statistically) binding against
$\mathfrak{C}$ if for all $\{C_n\}_{n>0} \in \mathfrak{C}$, the probability $p_b(n)$ that $C_n$ opens $b \in \{0,1\}$ with
success satisfies

$$p_0(n) + p_1(n) \;\le\; 1 + \mathrm{negl}(n)\,.$$

In the next section, we show that EPR-COMM is binding against $\mathfrak{C}_\gamma$ for any
$\gamma < \frac{1}{2}$.

Note that the binding condition given here in Definition 4.4 is weaker
than the classical one, where one would require that a bit b exists such that
$p_b(n)$ is negligible. In the context of quantum bit commitment, this weaker
definition is typically justified by the argument that this is the best that
can be achieved for a general quantum adversary who can always commit
to 0 and 1 in superposition. However, an adversary with bounded quantum
storage cannot necessarily maintain a commitment in superposition since
the memory compression may force a collapse. Indeed, in upcoming work,
we show that commitment schemes exist satisfying the stronger binding
condition in the bounded quantum-storage model [S]. While the weaker
condition is sufficient for many applications, the stronger one seems to be
necessary in some cases (see the conclusion).
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4.3 Security Proof of the Commitment Scheme 

Note that the first three steps of EPR-QOT and EPR-COMM (i.e. before the
memory bound applies) are exactly the same! This allows us to reuse
Corollary 3.9 and the analysis of Section 3.5 to prove the binding property of
EPR-COMM.

Theorem 4.5. For any $\gamma < \frac{1}{2}$, COMM is perfectly hiding and statistically
binding against $\mathfrak{C}_\gamma$.

The proof is given below. It boils down to showing that essentially $p_0(n) \le
1 - q^+$ and $p_1(n) \le 1 - q^\times$. The binding property then follows immediately
from Corollary 3.9. The intuition behind $p_0(n) \le 1 - q^+ = 1 - Q^+(S^+)$ is
that a committer has only a fair chance in opening to 0 if x measured in +
basis has a large probability, i.e., $x \notin S^+$. The following proof makes this
intuition precise by choosing the $\varepsilon$ and $\delta$'s correctly.

Proof: It remains to show that EPR-COMM is binding against $\mathfrak{C}_\gamma$. Let $\kappa > 0$
be such that $\gamma + \kappa < \frac{1}{2}$. For the parameters $\kappa$ and $\gamma$ considered here, define
$Q^+, S^+$ and $q^+$ as well as $Q^\times, S^\times$ and $q^\times$ as in Section 3.5. Furthermore, let
$0 < \delta < \frac{1}{2}$ be such that $h(\delta) < \kappa/2$, where h is the binary entropy function,
and choose $\varepsilon > 0$ small enough such that $h(\delta) < (\kappa - \varepsilon)/2$. This guarantees
that $|B^{\delta n}| \le 2^{(\kappa - \varepsilon) n/2}$ for all (sufficiently large) n, where $B^{\delta n}(x)$ denotes
the Hamming ball of radius $\delta n$ around x, whose size is at most $2^{h(\delta) n}$. For
every n we distinguish between the following two cases. If $q^+ \ge 2^{-\varepsilon n/2}$ then

$$H_\infty(X \mid X \in S^+) \;\ge\; \gamma n + \kappa n + \log(q^+) \;\ge\; \gamma n + (\kappa - \tfrac{\varepsilon}{2}) n$$

where the first inequality is argued as in (6). Applying Lemma 2.2 it follows
that any guess $\hat{X}$ for X satisfies

$$\Pr\big[\hat{X} \in B^{\delta n}(X) \,\big|\, X \in S^+\big]
\;\le\; 2^{-(H_\infty(X \mid X \in S^+) - \gamma n - 1) + \log |B^{\delta n}|}
\;\le\; 2^{-\frac{\kappa}{2} n + 1}\,.$$

However, if $\hat{X} \notin B^{\delta n}(X)$ then sampling a random subset of the positions
will detect an error except with probability not bigger than $2^{-\delta n}$. Hence,

$$p_0(n) = (1 - q^+) \cdot p_0|_{X \notin S^+} + q^+ \cdot p_0|_{X \in S^+}
\;\le\; 1 - q^+ + q^+ \cdot \big(2^{-\delta n}(1 - 2^{-\frac{\kappa}{2} n + 1}) + 2^{-\frac{\kappa}{2} n + 1}\big)\,.$$

If on the other hand $q^+ < 2^{-\varepsilon n/2}$ then trivially

$$p_0(n) \;\le\; 1 = 1 - q^+ + q^+ \;<\; 1 - q^+ + 2^{-\varepsilon n/2}\,.$$

In any case we have $p_0(n) \le 1 - q^+ + \mathrm{negl}(n)$.

Analogously, we derive $p_1(n) \le 1 - q^\times + \mathrm{negl}(n)$ and conclude that

$$p_0(n) + p_1(n) \;\le\; 2 - q^+ - q^\times + \mathrm{negl}(n) \;\le\; 1 + \mathrm{negl}(n)\,, \qquad (8)$$

where the last inequality in (8) is obtained from Corollary 3.9. □
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4.4 Weakening the Assumptions 

As argued earlier, assuming that a party can produce single qubits (with
probability 1) is not reasonable given current technology. Also the
assumption that there is no noise on the quantum channel is impractical. It can be
shown that a straightforward modification of COMM remains secure in the
$(\phi, \eta)$-weak quantum model as introduced in Section 3.7 with $\phi < \frac{1}{2}$ and
$\eta < 1 - \phi$.

Let COMM' be the modification of COMM where in Step 5 V accepts if
and only if $x_i = x'_i$ for all but about a $\phi$-fraction of the i where $r_i = \{+, \times\}[b]$.
More precisely, for all but a $(\phi + \varepsilon)$-fraction, where $\varepsilon > 0$ is sufficiently small.



Theorem 4.6. In the $(\phi, \eta)$-weak quantum model, COMM' is perfectly
hiding and it is binding against $\mathfrak{C}_\gamma$ for any $\gamma$ satisfying $\gamma < \frac{1}{2}(1 - \eta) - 2h(\phi)$.

Proof Sketch: Using Bernstein's law of large numbers, one can argue that
for honest C and V, the opening of a commitment is accepted except with
negligible probability. The hiding property holds using the same reasoning
as in Lemma 4.2. And the binding property can be argued essentially along
the lines of Theorem 4.5 with the following modifications. Let J denote the
set of indices i where V succeeds in sending a single qubit. We restrict the
analysis to those i's which are in J. By Bernstein's law of large numbers, the
cardinality of J is about $(1 - \eta) n$ (meaning within $(1 - \eta \pm \varepsilon) n$), except with
negligible probability. Thus, restricting to these i's has the same effect as
replacing $\gamma$ by $\gamma/(1 - \eta)$ (neglecting the $\pm\varepsilon$ to simplify notation). Assuming
that C knows every $x_i$ for $i \notin J$, for all $x_i$'s with $i \in J$ he has to be able to
guess all but about a $\phi/(1 - \eta)$-fraction correctly, in order to be successful
in the opening. However, C succeeds with only negligible probability if

$$\phi/(1 - \eta) < \delta\,.$$

Additionally, $\delta$ must be such that

$$h(\delta) < \frac{\kappa}{2} \quad\text{with}\quad \frac{\gamma}{1 - \eta} + \kappa < \frac{1}{2}\,.$$

Both restrictions on $\delta$ hold (respectively can be achieved by choosing $\kappa$
appropriately) if

$$2h\Big(\frac{\phi}{1 - \eta}\Big) + \frac{\gamma}{1 - \eta} < \frac{1}{2}\,.$$

Using the fact that $h(\nu p) \le \nu h(p)$ for any $\nu \ge 1$ and $0 < p < \frac{1}{2}$ such that
$\nu p < 1$, this is clearly satisfied if $2h(\phi) + \gamma < \frac{1}{2}(1 - \eta)$. This proves the
claim. □
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5 Generalizing the Memory Model 



The bounded quantum-storage model limits the number of physical qubits
the adversary's memory can contain. A more realistic model would rather
address the noise process the adversary's memory undergoes. For instance,
it is not hard to build a very large, but unreliable memory device containing
a large number of qubits. It is reasonable to expect that our protocols
remain secure also in a scenario where the adversary's memory is of arbitrary
size, but where some quantum operation (modeling noise) is applied to it.
Inequality (2) of the Privacy Amplification Theorem 2.1 allows us to apply
our constructions to slightly more general memory models. In particular, all
our protocols that are secure against adversaries with memory of no more
than $\gamma n$ qubits are also secure against any noise model that reduces the rank
of the mixed state $[\rho]$, held by the adversary, to at most $2^{\gamma n}$.

An example of a noise process resulting in a reduction of $S_0([\rho])$ is an
erasure channel. Assuming the n initial qubits are each erased with
probability larger than $1 - \gamma$ when the memory bound applies, it holds except
with negligible probability in n that $S_0([\rho]) \le \gamma n$. The same applies if the
noise process is modelled by a depolarizing channel with error probability
$p = 1 - \gamma$. Such a depolarizing channel replaces each qubit by a random one
with probability p and does nothing with probability $1 - p$.

The technique we have developed does not allow to deal with
depolarizing channels with $p < 1 - \gamma$, although one would expect that some
$0 < p < 1 - \gamma$ should be sufficient to ensure privacy against such adversaries.
The reason being that not knowing the positions where the errors occurred
should make it more difficult for the adversary than when the noise process
is modelled by an erasure channel. However, it seems that our uncertainty
relations (i.e. Theorems 3.5 and 3.7) are not strong enough to address this
case. Generalizing the bounded quantum-storage model to more realistic
noisy-memory models is an interesting open question.

6 Conclusion And Further Research 

We have shown how to construct ROT and BC securely in the bounded 
quantum-storage model. Our protocols require no quantum memory for 
honest players and remain secure provided the adversary has only access to 
quantum memory of size bounded by a large fraction of all qubits transmit- 
ted. Such a gap between the amount of storage required for honest players 
and adversaries is not achievable by classical means. All our protocols are 
non-interactive and can be implemented using current technology. 

In this paper, we only considered ROT of one bit per invocation. Our
technique can easily be extended to deal with string ROT, essentially by
using a class of two-universal functions with range $\{0,1\}^{ln}$ rather than $\{0,1\}$,
for some l with $\gamma + l < \frac{1}{2}$ (respectively $< \frac{1-\eta}{4} - \frac{h(\phi)}{2}$ for BB84-QOT).

Although other flavors of OTs can be constructed from ROT using
standard reductions, a more direct approach would give a better ratio between
storage-bound and communication-complexity. More general security
definitions allowing for better composition (such as universal composability)
briefly discussed at the end of Section 3.1 also deserve to be studied.
Recent extensions have shown that a 1-2 OT protocol built along the lines of
BB84-QOT is secure against adversaries with bounded quantum memory.
Interestingly, the techniques used are quite different from the ones of this
paper (which appear to fail in case of 1-2 OT), and they additionally allow
to analyse and prove secure the bit commitment scheme COMM with respect
to the stronger security definition, as discussed in Section 4.2.

COMM can easily be transformed into a string commitment scheme simply 
by committing bitwise, at the cost of a corresponding blow-up of the com- 
munication complexity. In order to prove this string commitment secure, 
though, it is necessary that COMM is secure with respect to the stronger 
security definition. 

How to construct and in particular prove secure a more efficient string 
commitment scheme is still an open problem. Furthermore, it is still un- 
solved how to construct and prove secure a 1-m OT protocol, more efficient 
than via the general reduction. 

Finally, finding protocols secure against adversaries in more general
noisy-memory models, briefly discussed in Section 5, would certainly be
a natural extension of this work to more practical settings.